bpf: fix arraymap NULL deref and missing overflow and zero size checks

[deliverable/linux.git] / net / phonet / datagram.c

diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c
index 38946b26e471c9754c922d3451e8ec2682f5ae3d..0918bc21eae6483f4f98cbdcbf9063b0b2cc10fd 100644 (file)
--- a/net/phonet/datagram.c
+++ b/net/phonet/datagram.c
@@ -86,7 +86,7 @@ static int pn_init(struct sock *sk)
 static int pn_sendmsg(struct kiocb *iocb, struct sock *sk,
                        struct msghdr *msg, size_t len)
 {
-       struct sockaddr_pn *target;
+       DECLARE_SOCKADDR(struct sockaddr_pn *, target, msg->msg_name);
        struct sk_buff *skb;
        int err;
 
@@ -94,13 +94,12 @@ static int pn_sendmsg(struct kiocb *iocb, struct sock *sk,
                                MSG_CMSG_COMPAT))
                return -EOPNOTSUPP;
 
-       if (msg->msg_name == NULL)
+       if (target == NULL)
                return -EDESTADDRREQ;
 
        if (msg->msg_namelen < sizeof(struct sockaddr_pn))
                return -EINVAL;
 
-       target = (struct sockaddr_pn *)msg->msg_name;
        if (target->spn_family != AF_PHONET)
                return -EAFNOSUPPORT;
 
@@ -151,7 +150,7 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk,
                copylen = len;
        }
 
-       rval = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copylen);
+       rval = skb_copy_datagram_msg(skb, 0, msg, copylen);
        if (rval) {
                rval = -EFAULT;
                goto out;
@@ -160,6 +159,7 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk,
        rval = (flags & MSG_TRUNC) ? skb->len : copylen;
 
        if (msg->msg_name != NULL) {
+               __sockaddr_check_size(sizeof(sa));
                memcpy(msg->msg_name, &sa, sizeof(sa));
                *addr_len = sizeof(sa);
        }